<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="Cask Data, Inc." name="author" />
<meta content="Copyright © 2014-2017 Cask Data, Inc." name="copyright" />


    <meta name="git_release" content="6.1.1">
    <meta name="git_hash" content="05fbac36f9f7aadeb44f5728cea35136dbc243e5">
    <meta name="git_timestamp" content="2020-02-09 08:22:47 +0800">
    <title>Perimeter Security</title>

    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap-theme.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/bootstrap-sphinx.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-dynamicscrollspy-4.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/abixTreeList-2.css" type="text/css" />
    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />

    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '',
        VERSION:     '6.1.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  false
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>

    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="top" title="Cask Data Application Platform 6.1.1 Documentation" href="../index.html" />
    <link rel="up" title="Security" href="index.html" />
    <link rel="next" title="Authorization" href="authorization.html" />
    <link rel="prev" title="Security" href="index.html" />
    <!-- block extrahead -->
    <meta charset='utf-8'>
    <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
    <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
    <meta name="apple-mobile-web-app-capable" content="yes">
    <!-- block extrahead end -->

</head>
<body role="document">

<!-- block navbar -->
<div id="navbar" class="navbar navbar-inverse navbar-default navbar-fixed-top">
    <div class="container-fluid">
      <div class="row">
        <div class="navbar-header">
          <!-- .btn-navbar is used as the toggle for collapsed navbar content -->
          <a class="navbar-brand" href="../table-of-contents/../../index.html">
            <span><img alt="CDAP logo" src="../_static/cdap_logo.svg"/></span>
          </a>

          <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>

          <div class="pull-right">
            <div class="dropdown version-dropdown">
              <a href="#" class="dropdown-toggle" data-toggle="dropdown"
                role="button" aria-haspopup="true" aria-expanded="false">
                v 6.1.1 <span class="caret"></span>
              </a>
              <ul class="dropdown-menu">
                <li><a href="//docs.cdap.io/cdap/5.1.2/en/index.html">v 5.1.2</a></li>
                <li><a href="//docs.cdap.io/cdap/4.3.4/en/index.html">v 4.3.4</a></li>
              </ul>
            </div>
          </div>
          <form class="navbar-form navbar-right navbar-search" action="../search.html" method="get">
            <div class="form-group">
              <div class="navbar-search-image material-icons"></div>
              <input type="text" name="q" class="form-control" placeholder="  Search" />
            </div>
            <input type="hidden" name="check_keywords" value="yes" />
            <input type="hidden" name="area" value="default" />
          </form>

          <div class="collapse navbar-collapse nav-collapse navbar-right navbar-navigation">
            <ul class="nav navbar-nav"><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../index.html">简介</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link current" href="../table-of-contents/../../guides.html">手册</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../reference-manual/index.html">参考</a></li><li class="docsite-nav-tab-container"><a class="docsite-nav-tab-link " href="../table-of-contents/../../faqs/index.html">帮助</a></li>
            </ul>
          </div>

        </div>
      </div>
    </div>
  </div><!-- block navbar end -->
<!-- block main content -->
<div class="main-container container">
  <div class="row"><div class="col-md-2">
      <div id="sidebar" class="bs-sidenav scrollable-y-outside" role="complementary">
<!-- theme_manual: admin-manual -->
<!-- theme_manual_highlight: guides -->
<!-- sidebar_title_link: ../table-of-contents/../../guides.html -->

  <div role="note" aria-label="manuals links"><h3><a href="../table-of-contents/../../guides.html">Guides</a></h3>

    <ul class="this-page-menu">
      <li class="toctree-l1"><a href="../table-of-contents/../../user-guide/index.html" rel="nofollow">用户手册</a>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../developer-manual/index.html" rel="nofollow">开发手册</a>
      </li>
      <li class="toctree-l1"><b><a href="../table-of-contents/../../admin-manual/index.html" rel="nofollow">管理手册</a></b>
      <nav class="pagenav">
      <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../index.html"> Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../cdap-components.html"> CDAP Components</a></li>
<li class="toctree-l1"><a class="reference internal" href="../deployment-architectures.html"> Deployment Architectures</a></li>
<li class="toctree-l1"><a class="reference internal" href="../hadoop-compatibility.html"> Hadoop Compatibility</a></li>
<li class="toctree-l1"><a class="reference internal" href="../cdap-hadoop-compatibility.html"> CDAP and Hadoop Compatibility</a></li>
<li class="toctree-l1"><a class="reference internal" href="../system-requirements.html"> System Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="../installation/index.html"> Installation</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../installation/cloudera.html">Cloudera Manager</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/emr.html">Amazon EMR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/ambari.html">Apache Ambari</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/mapr.html">MapR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/azure-hdinsight.html">Microsoft Azure HDInsight</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/packages.html">Packages</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/replication.html">Replication</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../incompatibilities.html"> Incompatibilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="../upgrading/index.html"> Upgrading</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/cloudera.html">Cloudera Manager</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/ambari.html">Apache Ambari</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/mapr.html">MapR</a></li>
<li class="toctree-l2"><a class="reference internal" href="../upgrading/packages.html">Packages</a></li>
</ul>
</li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html"> Security</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="#">Perimeter Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="authorization.html">Authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="impersonation.html">Impersonation</a></li>
<li class="toctree-l2"><a class="reference internal" href="system-services.html">Enabling SSL for System Services</a></li>
<li class="toctree-l2"><a class="reference internal" href="secure-storage.html">Secure Storage</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../operations/index.html"> Operations</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../operations/logging.html"> Logging and Monitoring</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/metrics.html"> Metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/operations-dashboard.html"> Dashboard and Reports</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/preferences.html"> Preferences and Runtime Arguments</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/scaling-instances.html"> Scaling Instances</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/resource-guarantees.html"> Resource Guarantees in YARN</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/tx-maintenance.html"> Transaction Service Maintenance</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/cdap-ui.html"> CDAP UI</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appendices/index.html"> Appendices</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../appendices/cdap-site.html"> Appendix: cdap-site.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/cdap-security.html"> Appendix: cdap-security.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/minimal-cdap-site.html"> Appendix: Minimal cdap-site.xml</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appendices/hbase-ddl-executor.html"> Appendix: HBaseDDLExecutor</a></li>
</ul>
</li>
</ul>
</nav>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../integrations/index.html" rel="nofollow">集成手册</a>
      </li>
      <li class="toctree-l1"><a href="../table-of-contents/../../examples-manual/index.html" rel="nofollow">最佳实践</a>
      </li>
    </ul>
  </div></div>
    </div><div class="col-md-8 content" id="main-content">
    
  <div class="section" id="perimeter-security">
<span id="admin-perimeter-security"></span><h1>Perimeter Security<a class="headerlink" href="#perimeter-security" title="Permalink to this headline">🔗</a></h1>
<div class="section" id="enabling-perimeter-security">
<span id="id1"></span><h2>Enabling Perimeter Security<a class="headerlink" href="#enabling-perimeter-security" title="Permalink to this headline">🔗</a></h2>
<p>Follow the instructions below for enabling perimeter security, either for CDAP Sandbox or Distributed CDAP,
depending on your installation. Client authentication, once security has been enabled, is described in the
开发手册 section <a class="reference external" href="../../../developer-manual/security/client-authentication.html#client-authentication" title="(in Cask Data Application Platform v6.1.1)"><span>Client Authentication</span></a>.</p>
<div class="section" id="enabling-perimeter-security-cdap-sandbox">
<h3>Enabling Perimeter Security (CDAP Sandbox)<a class="headerlink" href="#enabling-perimeter-security-cdap-sandbox" title="Permalink to this headline">🔗</a></h3>
<p>To enable security in <span class="xref std std-term">CDAP Sandbox</span>, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="39%" />
<col width="17%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.enabled</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td>Enables authentication for CDAP. When set to <code class="docutils literal notranslate"><span class="pre">true</span></code>
all requests to CDAP must provide a valid access
token.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.announce.address</span></code></td>
<td>&#160;</td>
<td>CDAP Authentication service announce address, in the
format of host:port. This is the address that clients
should use to communicate with the Authentication
Server. Leave empty (the default value) to use the
default address generated by the Authentication Server.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.bind.address</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">0.0.0.0</span></code></td>
<td>IP address that the CDAP Authentication Server should
bind to (default value shown)</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">10009</span></code></td>
<td>CDAP Authentication service bind port (default value
shown)</td>
</tr>
</tbody>
</table>
<p>Client Authentication then needs to be configured, as described below under
<a class="reference internal" href="#installation-configuring-authentication-mechanisms"><span class="std std-ref">Configuring Authentication Mechanisms</span></a>.
With CDAP Sandbox, the simplest is <a class="reference internal" href="#installation-basic-authentication"><span class="std std-ref">Basic Authentication</span></a>.</p>
</div>
<div class="section" id="enabling-perimeter-security-distributed-cdap">
<h3>Enabling Perimeter Security (Distributed CDAP)<a class="headerlink" href="#enabling-perimeter-security-distributed-cdap" title="Permalink to this headline">🔗</a></h3>
<p>To enable security in <span class="xref std std-term">Distributed CDAP</span>, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="39%" />
<col width="17%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.enabled</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td>Enables authentication for CDAP. When set to <code class="docutils literal notranslate"><span class="pre">true</span></code>
all requests to CDAP must provide a valid access
token.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.announce.address</span></code></td>
<td>&#160;</td>
<td>CDAP Authentication service announce address, in the
format of host:port. This is the address that clients
should use to communicate with the Authentication
Server. Leave empty (the default value) to use the
default address generated by the Authentication Server.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.bind.address</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">0.0.0.0</span></code></td>
<td>IP address that the CDAP Authentication Server should
bind to (default value shown)</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">10009</span></code></td>
<td>CDAP Authentication service bind port (default value
shown)</td>
</tr>
</tbody>
</table>
<div class="section" id="configuring-kerberos-required">
<h4>Configuring Kerberos (required)<a class="headerlink" href="#configuring-kerberos-required" title="Permalink to this headline">🔗</a></h4>
<p>To configure Kerberos authentication for various CDAP services, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">kerberos.auth.enabled</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">security.enabled</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code> to enable Kerberos authentication</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">cdap.master.kerberos.keytab</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>Kerberos keytab file path, either absolute or relative</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">cdap.master.kerberos.principal</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;principal&gt;</span></code></td>
<td>Kerberos principal associated with the keytab</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="configuring-zookeeper-required">
<h4>Configuring ZooKeeper (required)<a class="headerlink" href="#configuring-zookeeper-required" title="Permalink to this headline">🔗</a></h4>
<p>To configure ZooKeeper to enable SASL authentication, add the following to your <code class="docutils literal notranslate"><span class="pre">zoo.cfg</span></code>:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">authProvider</span><span class="mf">.1</span><span class="o">=</span><span class="n">org</span><span class="p">.</span><span class="na">apache</span><span class="p">.</span><span class="na">zookeeper</span><span class="p">.</span><span class="na">server</span><span class="p">.</span><span class="na">auth</span><span class="p">.</span><span class="na">SASLAuthenticationProvider</span>
<span class="n">jaasLoginRenew</span><span class="o">=</span><span class="mi">3600000</span>
<span class="n">kerberos</span><span class="p">.</span><span class="na">removeHostFromPrincipal</span><span class="o">=</span><span class="kc">true</span>
<span class="n">kerberos</span><span class="p">.</span><span class="na">removeRealmFromPrincipal</span><span class="o">=</span><span class="kc">true</span>
</pre></div>
</div>
<p>This will let ZooKeeper use the <code class="docutils literal notranslate"><span class="pre">SASLAuthenticationProvider</span></code> as an auth provider, and the <code class="docutils literal notranslate"><span class="pre">jaasLoginRenew</span></code> line
will cause the ZooKeeper server to renew its Kerberos ticket once an hour.</p>
<p>Then, create a <code class="docutils literal notranslate"><span class="pre">jaas.conf</span></code> file for your ZooKeeper server:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">Server</span> <span class="p">{</span>
     <span class="n">com</span><span class="p">.</span><span class="na">sun</span><span class="p">.</span><span class="na">security</span><span class="p">.</span><span class="na">auth</span><span class="p">.</span><span class="na">module</span><span class="p">.</span><span class="na">Krb5LoginModule</span> <span class="n">required</span>
     <span class="n">useKeyTab</span><span class="o">=</span><span class="kc">true</span>
     <span class="n">keyTab</span><span class="o">=</span><span class="s">&quot;/path/to/zookeeper.keytab&quot;</span>
     <span class="n">storeKey</span><span class="o">=</span><span class="kc">true</span>
     <span class="n">useTicketCache</span><span class="o">=</span><span class="kc">false</span>
     <span class="n">principal</span><span class="o">=</span><span class="s">&quot;&lt;your-zookeeper-principal&gt;&quot;</span><span class="p">;</span>
<span class="p">};</span>
</pre></div>
</div>
<p>The keytab file must be readable by the ZooKeeper server, and <code class="docutils literal notranslate"><span class="pre">&lt;your-zookeeper-principal&gt;</span></code> must correspond
to the keytab file.</p>
<p>Finally, start ZooKeeper server with the following JVM option:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">Djava</span><span class="p">.</span><span class="na">security</span><span class="p">.</span><span class="na">auth</span><span class="p">.</span><span class="na">login</span><span class="p">.</span><span class="na">config</span><span class="o">=/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">jaas</span><span class="p">.</span><span class="na">conf</span>
</pre></div>
</div>
</div>
<div class="section" id="accessing-cdap-services-with-ssl">
<span id="running-servers-with-ssl"></span><h4>Accessing CDAP Services with SSL<a class="headerlink" href="#accessing-cdap-services-with-ssl" title="Permalink to this headline">🔗</a></h4>
<p>To enable running the CDAP Router with SSL, add this property to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">ssl.external.enabled</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code> to enable SSL for external services</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="default-ports">
<h4>Default Ports<a class="headerlink" href="#default-ports" title="Permalink to this headline">🔗</a></h4>
<p><strong>Without SSL</strong>, these properties have—unless set specifically—these default values:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Default Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">router.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">11015</span></code></td>
<td>Port number that the CDAP Router should bind to for
HTTP Connections</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">10009</span></code></td>
<td>Port number that the CDAP Authentication Server should
bind to for HTTP Connections</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">dashboard.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">11011</span></code></td>
<td>Port number that the CDAP UI should
bind to for HTTP Connections</td>
</tr>
</tbody>
</table>
<p><strong>With SSL</strong>, these properties have—unless set specifically—these default values:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Default Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">router.ssl.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">10443</span></code></td>
<td>Port number that the CDAP router should bind to for
HTTPS Connections</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">10010</span></code></td>
<td>Port number that the CDAP Authentication Server should
bind to for HTTPS Connections</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">dashboard.ssl.bind.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">9443</span></code></td>
<td>Port number that the CDAP UI should bind to for
HTTPS Connections</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="configuring-ssl-for-the-authentication-server">
<h4>Configuring SSL for the Authentication Server<a class="headerlink" href="#configuring-ssl-for-the-authentication-server" title="Permalink to this headline">🔗</a></h4>
<p>To configure the granting of <code class="docutils literal notranslate"><span class="pre">AccessToken</span></code>s via SSL, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.keystore.path</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>Keystore file location, either absolute
or relative; the file should be owned and
readable only by the CDAP user</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.keystore.password</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;password&gt;</span></code></td>
<td>Keystore password</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.keystore.keypassword</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;password&gt;</span></code></td>
<td>Keystore key password</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.keystore.type</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">JKS</span></code></td>
<td>Keystore file type (default <code class="docutils literal notranslate"><span class="pre">JKS</span></code>)</td>
</tr>
</tbody>
</table>
<p>To configure client certificate based authentication via 2-way SSL, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.truststore.path</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>Truststore file location, either absolute
or relative; the file should be owned and
readable only by the CDAP user</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.truststore.password</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;password&gt;</span></code></td>
<td>Keystore password</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.auth.server.ssl.truststore.type</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">JKS</span></code></td>
<td>Keystore file type (default <code class="docutils literal notranslate"><span class="pre">JKS</span></code>)</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="configuring-ssl-for-the-router">
<h4>Configuring SSL for the Router<a class="headerlink" href="#configuring-ssl-for-the-router" title="Permalink to this headline">🔗</a></h4>
<p>To configure SSL for the Router, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">router.ssl.keystore.path</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>Keystore file location, either absolute
or relative; the file should be owned and
readable only by the CDAP user</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">router.ssl.keystore.password</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;password&gt;</span></code></td>
<td>Keystore password</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">router.ssl.keystore.keypassword</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;password&gt;</span></code></td>
<td>Keystore key password</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">router.ssl.keystore.type</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">JKS</span></code></td>
<td>Keystore file type (default <code class="docutils literal notranslate"><span class="pre">JKS</span></code>)</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="configuring-ssl-for-the-cdap-ui">
<h4>Configuring SSL for the CDAP UI<a class="headerlink" href="#configuring-ssl-for-the-cdap-ui" title="Permalink to this headline">🔗</a></h4>
<p>To enable SSL for the CDAP UI, add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">dashboard.ssl.cert</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>SSL cert file location, either absolute
or relative; the file should be owned and
readable only by the CDAP user</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">dashboard.ssl.key</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>SSL key file location, either absolute
or relative; the file should be owned and
readable only by the CDAP user</td>
</tr>
</tbody>
</table>
<p><strong>Note:</strong> To enable SSL for the CDAP UI and allow <strong>self-signed certificates</strong>, add this property to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">dashboard.ssl.disable.cert.check</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code> to disable SSL certificate check from the
CDAP UI</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="enabling-access-logging">
<span id="enable-access-logging"></span><h4>Enabling Access Logging<a class="headerlink" href="#enabling-access-logging" title="Permalink to this headline">🔗</a></h4>
<p>To enable access logging, add the following to <code class="docutils literal notranslate"><span class="pre">logback.xml</span></code> (typically under <code class="docutils literal notranslate"><span class="pre">/etc/cdap/conf/</span></code>)</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">&lt;appender name=&quot;AUDIT&quot; class=&quot;ch.qos.logback.core.rolling.RollingFileAppender&quot;&gt;</span>
<span class="go">  &lt;file&gt;access.log&lt;/file&gt;</span>
<span class="go">  &lt;rollingPolicy class=&quot;ch.qos.logback.core.rolling.TimeBasedRollingPolicy&quot;&gt;</span>
<span class="go">    &lt;fileNamePattern&gt;access.log.%d{yyyy-MM-dd}&lt;/fileNamePattern&gt;</span>
<span class="go">    &lt;maxHistory&gt;30&lt;/maxHistory&gt;</span>
<span class="go">  &lt;/rollingPolicy&gt;</span>
<span class="go">  &lt;encoder&gt;</span>
<span class="go">    &lt;pattern&gt;%msg%n&lt;/pattern&gt;</span>
<span class="go">  &lt;/encoder&gt;</span>
<span class="go">&lt;/appender&gt;</span>
<span class="go">&lt;logger name=&quot;http-access&quot; level=&quot;TRACE&quot; additivity=&quot;false&quot;&gt;</span>
<span class="go">  &lt;appender-ref ref=&quot;AUDIT&quot; /&gt;</span>
<span class="go">&lt;/logger&gt;</span>

<span class="go">&lt;appender name=&quot;EXTERNAL_AUTH_AUDIT&quot; class=&quot;ch.qos.logback.core.rolling.RollingFileAppender&quot;&gt;</span>
<span class="go">  &lt;file&gt;external_auth_access.log&lt;/file&gt;</span>
<span class="go">  &lt;rollingPolicy class=&quot;ch.qos.logback.core.rolling.TimeBasedRollingPolicy&quot;&gt;</span>
<span class="go">    &lt;fileNamePattern&gt;external_auth_access.log.%d{yyyy-MM-dd}&lt;/fileNamePattern&gt;</span>
<span class="go">    &lt;maxHistory&gt;30&lt;/maxHistory&gt;</span>
<span class="go">  &lt;/rollingPolicy&gt;</span>
<span class="go">  &lt;encoder&gt;</span>
<span class="go">    &lt;pattern&gt;%msg%n&lt;/pattern&gt;</span>
<span class="go">  &lt;/encoder&gt;</span>
<span class="go">&lt;/appender&gt;</span>
<span class="go">&lt;logger name=&quot;external-auth-access&quot; level=&quot;TRACE&quot; additivity=&quot;false&quot;&gt;</span>
<span class="go">  &lt;appender-ref ref=&quot;EXTERNAL_AUTH_AUDIT&quot; /&gt;</span>
<span class="go">&lt;/logger&gt;</span>
</pre></div>
</div>
<p>You may also configure the file being logged to by changing the path under <code class="docutils literal notranslate"><span class="pre">&lt;file&gt;...&lt;/file&gt;</span></code>.</p>
</div>
</div>
</div>
<div class="section" id="configuring-authentication-mechanisms">
<span id="installation-configuring-authentication-mechanisms"></span><h2>Configuring Authentication Mechanisms<a class="headerlink" href="#configuring-authentication-mechanisms" title="Permalink to this headline">🔗</a></h2>
<p>CDAP provides several ways to authenticate a client’s identity:</p>
<ul class="simple">
<li><a class="reference internal" href="#installation-basic-authentication"><span class="std std-ref">Basic Authentication</span></a></li>
<li><a class="reference internal" href="#installation-ldap-authentication"><span class="std std-ref">LDAP Authentication</span></a></li>
<li><a class="reference internal" href="#installation-jaspi-authentication"><span class="std std-ref">JASPI Authentication</span></a></li>
<li><a class="reference internal" href="#installation-custom-authentication"><span class="std std-ref">Custom Authentication</span></a></li>
</ul>
<div class="section" id="basic-authentication">
<span id="installation-basic-authentication"></span><h3>Basic Authentication<a class="headerlink" href="#basic-authentication" title="Permalink to this headline">🔗</a></h3>
<p>The simplest way to identity a client is to authenticate against a realm file.
To configure basic authentication add these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="22%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handlerClassName</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">io.cdap.cdap.security.</span></code><code class="docutils literal notranslate"><span class="pre">server.</span></code>
<code class="docutils literal notranslate"><span class="pre">BasicAuthentication</span></code><code class="docutils literal notranslate"><span class="pre">Handler</span></code></td>
<td>Name of the class handling
authentication</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.basic.realmfile</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;filepath&gt;</span></code></td>
<td>An absolute or relative path to the
realm file</td>
</tr>
</tbody>
</table>
<p>The realm file is of the following format:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">username: password[,rolename ...]</span>
</pre></div>
</div>
<p>In CDAP Sandbox, the realm file can be specified as <code class="docutils literal notranslate"><span class="pre">conf/realmfile</span></code> and placed with
the <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code> file. Note that it is not advisable to use this method of
authentication. In production, we recommend using any of the other methods described below.</p>
</div>
<div class="section" id="ldap-authentication">
<span id="installation-ldap-authentication"></span><h3>LDAP Authentication<a class="headerlink" href="#ldap-authentication" title="Permalink to this headline">🔗</a></h3>
<p>You can configure CDAP to authenticate against an LDAP instance by adding these
properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="22%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handlerClassName</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">io.cdap.cdap.security.</span></code><code class="docutils literal notranslate"><span class="pre">server.</span></code>
<code class="docutils literal notranslate"><span class="pre">LDAPAuthentication</span></code><code class="docutils literal notranslate"><span class="pre">Handler</span></code></td>
<td>Name of the class handling
authentication</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.loginmodule.className</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">io.cdap.cdap.security.</span></code><code class="docutils literal notranslate"><span class="pre">server.</span></code>
<code class="docutils literal notranslate"><span class="pre">LDAPLoginModule</span></code></td>
<td>Name of a class used as a custom login
module for authentication</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.debug</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">false</span></code></td>
<td>Set to <code class="docutils literal notranslate"><span class="pre">true</span></code> to enable debugging</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.hostname</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;hostname&gt;</span></code></td>
<td>LDAP server host</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.port</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;port&gt;</span></code></td>
<td>LDAP server port</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userBaseDn</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;userBaseDn&gt;</span></code></td>
<td>Distinguished Name of the root for
user account entries in the LDAP
directory</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userRdnAttribute</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;userRdnAttribute&gt;</span></code></td>
<td>LDAP Object attribute for username
when search by role DN</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userObjectClass</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;userObjectClass&gt;</span></code></td>
<td>LDAP Object class used to store user
entries</td>
</tr>
</tbody>
</table>
<p>In addition, you may configure these optional properties in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="22%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userIdAttribute</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;userIdAttribute&gt;</span></code></td>
<td>LDAP Object attribute containing the
username</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userPasswordAttribute</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;userPasswordAttribute&gt;</span></code></td>
<td>LDAP Object attribute containing the
user password</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.roleBaseDn</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;roleBaseDn&gt;</span></code></td>
<td>Distinguished Name of the root of the
LDAP tree to search for group
memberships</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.roleNameAttribute</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;roleNameAttribute&gt;</span></code></td>
<td>LDAP Object attribute specifying the
group name</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.roleMemberAttribute</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;roleMemberAttribute&gt;</span></code></td>
<td>LDAP Object attribute specifying the
group members</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.roleObjectClass</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;roleObjectClass&gt;</span></code></td>
<td>LDAP Object class used to store group
entries</td>
</tr>
</tbody>
</table>
<p>If the LDAP instance requires binding as a specific user, you may configure
these optional properties in <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="22%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.bindDn</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;bindDn&gt;</span></code></td>
<td>The Distinguished Name used to bind to
the LDAP server and search the
directory</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.bindPassword</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;bindPassword&gt;</span></code></td>
<td>The password used to bind to the LDAP
server</td>
</tr>
</tbody>
</table>
<p>To enable SSL between the authentication server and the LDAP instance, configure
these properties in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="48%" />
<col width="14%" />
<col width="7%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Default Value</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.useLdaps</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">false</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td>Set to <code class="docutils literal notranslate"><span class="pre">true</span></code> to enable use of LDAPS</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handler.ldapsVerifyCertificate</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">true</span></code></td>
<td>Set to <code class="docutils literal notranslate"><span class="pre">true</span></code> to enable verification
of the SSL certificate used by the
LDAP server</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="ldap-with-active-directory">
<h3>LDAP with Active Directory<a class="headerlink" href="#ldap-with-active-directory" title="Permalink to this headline">🔗</a></h3>
<p>The following properties are listed as “optional” for LDAP but
are required if you are using LDAP with Active Directory.</p>
<ul class="simple">
<li>security.authentication.handler.userIdAttribute</li>
<li>security.authentication.handler.bindDn</li>
<li>security.authentication.handler.bindPassword</li>
</ul>
<p>When using group based authentication, you will need the following properties to further filter the access.</p>
<ul class="simple">
<li>security.authentication.handler.roleBaseDn</li>
<li>security.authentication.handler.roleMemberAttribute</li>
<li>security.authentication.handler.roleNameAttribute</li>
<li>security.authentication.handler.roleObjectClass</li>
</ul>
<p>For Active Directory, the property <code class="docutils literal notranslate"><span class="pre">security.authentication.handler.userBaseDn</span></code> should NOT include the group information.
It should return the full list of users in the organization or domain. The group information should be included in the property
<code class="docutils literal notranslate"><span class="pre">security.authentication.handler.roleBaseDn</span></code> and will only allow access to these users.</p>
</div>
<div class="section" id="jaspi-authentication">
<span id="installation-jaspi-authentication"></span><h3>JASPI Authentication<a class="headerlink" href="#jaspi-authentication" title="Permalink to this headline">🔗</a></h3>
<p>To authenticate a user using JASPI (Java Authentication Service Provider Interface) add
these properties to <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="22%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.handlerClassName</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">io.cdap.cdap.security.</span></code><code class="docutils literal notranslate"><span class="pre">server.</span></code>
<code class="docutils literal notranslate"><span class="pre">JASPIAuthentication</span></code><code class="docutils literal notranslate"><span class="pre">Handler</span></code></td>
<td>Name of the class handling
authentication</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authentication.loginmodule.className</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;custom-login-module&gt;</span></code></td>
<td>Name of the class of the login module
handling authentication</td>
</tr>
</tbody>
</table>
<p>In addition, any properties with the prefix <code class="docutils literal notranslate"><span class="pre">security.authentication.handler.</span></code>,
such as <code class="docutils literal notranslate"><span class="pre">security.authentication.handler.hostname</span></code>, will be provided to the handler.
These properties, stripped of the prefix, will be used to instantiate the
<code class="docutils literal notranslate"><span class="pre">javax.security.auth.login.Configuration</span></code> used by the <code class="docutils literal notranslate"><span class="pre">LoginModule</span></code>.</p>
</div>
<div class="section" id="custom-authentication">
<span id="installation-custom-authentication"></span><h3>Custom Authentication<a class="headerlink" href="#custom-authentication" title="Permalink to this headline">🔗</a></h3>
<p>To use a Custom Authentication mechanism, set the
<code class="docutils literal notranslate"><span class="pre">security.authentication.handlerClassName</span></code> in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code> with the custom
handler’s classname. Any properties set in either <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code> or <code class="docutils literal notranslate"><span class="pre">cdap-security.xml</span></code>
and that are prefixed with <code class="docutils literal notranslate"><span class="pre">security.authentication.handler.</span></code> are available through a
<code class="docutils literal notranslate"><span class="pre">Map&lt;String,</span> <span class="pre">String&gt;</span></code> object and can be used to configure the handler.</p>
<p>To make your custom handler class available to the authentication service, copy your
packaged jar file (and any additional dependency jars) to the <code class="docutils literal notranslate"><span class="pre">security/lib/</span></code> directory
within your CDAP installation (typically under <code class="docutils literal notranslate"><span class="pre">/opt/cdap</span></code>).</p>
<p>The 开发手册 <a class="reference external" href="../../../developer-manual/security/custom-authentication.html#developer-custom-authentication" title="(in Cask Data Application Platform v6.1.1)"><span class="xref std std-ref">Custom Authentication</span></a> section shows
how to create a Custom Authentication Mechanism.</p>
</div>
<div class="section" id="configuring-exemptions-from-authentication">
<span id="configuring-auth-exemptions"></span><h3>Configuring Exemptions from Authentication<a class="headerlink" href="#configuring-exemptions-from-authentication" title="Permalink to this headline">🔗</a></h3>
<p>Sometimes you need to exempt certain URLs from authentication. For example, you may want to secure
your entire application, except that you want to allow sending data to a stream by unauthenticated clients.
For this, you can configure the CDAP Router to bypass the authentication for URLs that match a given
regular expression, by adding this property in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="16%" />
<col width="44%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Property</th>
<th class="head">Value</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">router.bypass.auth.regex</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;reg-exp&gt;</span></code></td>
<td>Regular expression to match URLs that are
exempt from authentication.</td>
</tr>
</tbody>
</table>
<p>For example, the following configuration in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code> will allow unauthenticated
posting to all streams in the default namespace:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">&lt;property&gt;</span>
<span class="go">  &lt;name&gt;router.bypass.auth.regex&lt;/name&gt;</span>
<span class="go">  &lt;value&gt;/v3/namespaces/default/streams/[^/]+&lt;/value&gt;</span>
<span class="go">&lt;/property&gt;</span>
</pre></div>
</div>
<p>This must be configured on every node that runs the CDAP Router.</p>
</div>
</div>
<div class="section" id="testing-perimeter-security">
<span id="testing-security"></span><span id="id2"></span><h2>Testing Perimeter Security<a class="headerlink" href="#testing-perimeter-security" title="Permalink to this headline">🔗</a></h2>
<p>To ensure that you’ve configured security correctly, run these simple tests to verify that
the security components are working as expected. See the <span class="xref std std-ref">CDAP 参考手册: HTTP
RESTful API</span> for information on the conventions used for
these examples. Note that if <a class="reference internal" href="#running-servers-with-ssl"><span class="std std-ref">SSL is enabled for CDAP Servers</span></a>,
then the <span class="xref std std-ref">base URL</span> used in these examples
will use <code class="docutils literal notranslate"><span class="pre">https</span></code> instead of <code class="docutils literal notranslate"><span class="pre">http</span></code>.</p>
<ul>
<li><p class="first">After configuring CDAP as described above, start (or restart) CDAP and attempt to make a request:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">GET /v3/apps</span>
</pre></div>
</div>
<p>such as:</p>

<script type="text/javascript">

  $(function tabbedparsedliteral6() {
    var tabs = ['linux', 'windows'];
    var mapping = {'windows': 'windows', 'linux': 'linux'};
    var tabSetID = 'linux-windows';
    for (var i = 0; i < tabs.length; i++) {
      var tab = tabs[i];
      $("#tabbedparsedliteral6 .example-tab-" + tab).click(changeExampleTab(tab, mapping, "tabbedparsedliteral6", tabSetID));
    }
  });

</script>
<div id="tabbedparsedliteral6" class="tabbed-parsed-literal dependent-linux-windows">
<ul class="tabbed-parsed-literal nav-tabs">
<li class="example-tab example-tab-linux active"><a href="#">Linux</a></li>
<li class="example-tab example-tab-windows "><a href="#">Windows</a></li>
</ul>

<div class="tab-contents">

<div class="tab-pane tab-pane-linux active">
<div class="code code-tab">
<div class="highlight-console">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">$</span> curl -v -w<span class="s2">&quot;\n&quot;</span> -X GET <span class="s2">&quot;http://localhost:11015/v3/namespaces/default/apps&quot;</span>
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
<div class="tab-pane tab-pane-windows ">
<div class="code code-tab">
<div class="highlight-shell-session">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">&gt;</span> curl -v -X GET <span class="s2">&quot;http://localhost:11015/v3/namespaces/default/apps&quot;</span>
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
</div>
</div>
<p>This should return a <code class="docutils literal notranslate"><span class="pre">401</span> <span class="pre">Unauthorized</span></code> response with a list of authentication URIs in
the response body. For example:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">{&quot;auth_uri&quot;:[&quot;http://localhost:10009/token&quot;]}</span>
</pre></div>
</div>
</li>
<li><p class="first">Submit a username and password to one of the authentication URIs (<code class="docutils literal notranslate"><span class="pre">&lt;auth-uri&gt;</span></code>) to
obtain an <code class="docutils literal notranslate"><span class="pre">AccessToken</span></code> by submitting a <a class="reference external" href="https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side">Basic Authorization header</a> with the
username and password:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">GET &lt;auth-uri&gt; &quot;Authorization: Basic &lt;encoded_username_password_string&gt;&quot;</span>
</pre></div>
</div>
<p>Using <code class="docutils literal notranslate"><span class="pre">curl</span></code>, assuming a CDAP authentication server at the URI <code class="docutils literal notranslate"><span class="pre">localhost:10009</span></code> and
that you have defined a <em>username:password</em> pair such as <code class="docutils literal notranslate"><span class="pre">cdap:bigdata</span></code> in the
realm file, you can use <code class="docutils literal notranslate"><span class="pre">curl</span></code>’s <code class="docutils literal notranslate"><span class="pre">-u</span></code> option to create the header:</p>

<script type="text/javascript">

  $(function tabbedparsedliteral7() {
    var tabs = ['linux', 'windows'];
    var mapping = {'windows': 'windows', 'linux': 'linux'};
    var tabSetID = 'linux-windows';
    for (var i = 0; i < tabs.length; i++) {
      var tab = tabs[i];
      $("#tabbedparsedliteral7 .example-tab-" + tab).click(changeExampleTab(tab, mapping, "tabbedparsedliteral7", tabSetID));
    }
  });

</script>
<div id="tabbedparsedliteral7" class="tabbed-parsed-literal dependent-linux-windows">
<ul class="tabbed-parsed-literal nav-tabs">
<li class="example-tab example-tab-linux active"><a href="#">Linux</a></li>
<li class="example-tab example-tab-windows "><a href="#">Windows</a></li>
</ul>

<div class="tab-contents">

<div class="tab-pane tab-pane-linux active">
<div class="code code-tab">
<div class="highlight-console">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">$</span> curl -v -w<span class="s2">&quot;\n&quot;</span> -X GET <span class="s2">&quot;http://localhost:10009/token&quot;</span> -u cdap:bigdata
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
<div class="tab-pane tab-pane-windows ">
<div class="code code-tab">
<div class="highlight-shell-session">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">&gt;</span> curl -v -X GET <span class="s2">&quot;http://localhost:10009/token&quot;</span> -u cdap:bigdata
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
</div>
</div>
<p>This should return a <code class="docutils literal notranslate"><span class="pre">200</span> <span class="pre">OK</span></code> response with the <code class="docutils literal notranslate"><span class="pre">AccessToken</span></code> string in the response
body (formatted to fit):</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">{&quot;access_token&quot;:&quot;AghjZGFwAI7e8p65Uo7OpfG5UrD87psGQE0u0sFDoqxtacdRR5GxEb6bkTypP7mXdqvqqnLmfxOS&quot;,</span>
<span class="go">  &quot;token_type&quot;:&quot;Bearer&quot;,&quot;expires_in&quot;:86400}</span>
</pre></div>
</div>
</li>
<li><p class="first">Reattempt the first command, but this time include the <code class="docutils literal notranslate"><span class="pre">access_token</span></code> as a header in the request:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">GET /v3/apps &quot;Authorization: Bearer &lt;access_token&gt;&quot;</span>
</pre></div>
</div>
<p>such as (formatted to fit):</p>

<script type="text/javascript">

  $(function tabbedparsedliteral8() {
    var tabs = ['linux', 'windows'];
    var mapping = {'windows': 'windows', 'linux': 'linux'};
    var tabSetID = 'linux-windows';
    for (var i = 0; i < tabs.length; i++) {
      var tab = tabs[i];
      $("#tabbedparsedliteral8 .example-tab-" + tab).click(changeExampleTab(tab, mapping, "tabbedparsedliteral8", tabSetID));
    }
  });

</script>
<div id="tabbedparsedliteral8" class="tabbed-parsed-literal dependent-linux-windows">
<ul class="tabbed-parsed-literal nav-tabs">
<li class="example-tab example-tab-linux active"><a href="#">Linux</a></li>
<li class="example-tab example-tab-windows "><a href="#">Windows</a></li>
</ul>

<div class="tab-contents">

<div class="tab-pane tab-pane-linux active">
<div class="code code-tab">
<div class="highlight-console">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">$</span> curl -v -w<span class="s2">&quot;\n&quot;</span> -X GET <span class="s2">&quot;http://localhost:11015/v3/namespaces/default/apps&quot;</span> <span class="se">\</span>
-H <span class="s2">&quot;Authorization: Bearer AghjZGFwAI7e8p65Uo7OpfG5UrD87psGQE0u0sFDoqxtacdRR5GxEb6bkTypP7mXdqvqqnLmfxOS&quot;</span></span>
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
<div class="tab-pane tab-pane-windows ">
<div class="code code-tab">
<div class="highlight-shell-session">
<!-- tabbed-parsed-literal start -->
<div class="highlight"><pre><span></span><span class="gp">&gt;</span> curl -v -X GET <span class="s2">&quot;http://localhost:11015/v3/namespaces/default/apps&quot;</span> ^
<span class="go">-H &quot;Authorization: Bearer AghjZGFwAI7e8p65Uo7OpfG5UrD87psGQE0u0sFDoqxtacdRR5GxEb6bkTypP7mXdqvqqnLmfxOS&quot;</span>
</pre></div>
<!-- tabbed-parsed-literal end --></div>
</div>
</div>
</div>
</div>
<p>This should return a <code class="docutils literal notranslate"><span class="pre">200</span> <span class="pre">OK</span></code> response.</p>
</li>
<li><p class="first">Visiting the CDAP UI should redirect you to a login page that prompts for credentials.
Entering the credentials that you have configured should let you work with the CDAP UI as normal.</p>
</li>
</ul>
</div>
</div>

</div>
    <div class="col-md-2">
      <div id="right-sidebar" class="bs-sidenav scrollable-y" role="complementary">
        <div id="localtoc-scrollspy">
        </div>
      </div>
    </div></div>
</div>
<!-- block main content end -->
<!-- block footer -->
<footer class="footer">
      <div class="container">
        <div class="row">
          <div class="col-md-2 footer-left"><a title="Security" href="index.html" />Previous</a></div>
          <div class="col-md-8 footer-center"><a class="footer-tab-link" href="../table-of-contents/../../reference-manual/licenses/index.html">Copyright</a> &copy; 2014-2020 Cask Data, Inc.&bull; <a class="footer-tab-link" href="//docs.cask.co/cdap/6.1.1/cdap-docs-6.1.1-web.zip" rel="nofollow">Download</a> an archive or
<a class="footer-tab-link" href="//docs.cask.co/cdap">switch the version</a> of the documentation
          </div>
          <div class="col-md-2 footer-right"><a title="Authorization" href="authorization.html" />Next</a></div>
        </div>
      </div>
    </footer>
<!-- block footer end -->
<script type="text/javascript" src="../_static/bootstrap-3.3.6/js/bootstrap.min.js"></script><script type="text/javascript" src="../_static/js/bootstrap-sphinx.js"></script><script type="text/javascript" src="../_static/js/abixTreeList-2.js"></script><script type="text/javascript" src="../_static/js/cdap-dynamicscrollspy-4.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script><script type="text/javascript" src="../_static/js/copy-to-clipboard.js"></script><script type="text/javascript" src="../_static/js/jquery.mousewheel.min.js"></script><script type="text/javascript" src="../_static/js/jquery.mCustomScrollbar.js"></script><script type="text/javascript" src="../_static/js/js.cookie.js"></script><script type="text/javascript" src="../_static/js/tabbed-parsed-literal-0.2.js"></script><script type="text/javascript" src="../_static/js/cdap-onload-javascript.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script>
    <script src="https://cdap.gitee.io/docs/cdap/json-versions.js"/></script>
  </body>
</html>